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How to secure use of Web 2.0 



by Michael S. Mimoso 

You don't want to become the Pete Hoekstra of your company. 

Not that Pete's a bad guy. In fact, Rep. Hoekstra of Michigan has a distinguished legacy of service in politics and 
business, including a 2004 appointment as chairman of the House Permanent Select Committee on Intelligence, 
where he is the ranking Republican and still leads oversight on intelligence issues. He's a connected guy. 

And that's his problem. 

Early in February, Hoekstra flew into Iraq as part of a Congressional delegation's trip there, and to Afghanistan. 
Upon his arrival, he posted to his Twitter page that he'd just landed in the Iraqi capital of Baghdad and was 
stunned he had BlackBerry service for the first time in his 1 1 trips to Iraq. He later made posts about moving 
through the "Green Zone" via helicopter to the U.S. Embassy. 

So much for what was supposed to be a secret trip, and so much for keeping the sanctity of the delegation's it 
inerary. Hoekstra has close to 3,500 Twitter followers, and theoretically, each one knew of, and could share, his 
whereabouts in an instant. 

Such is the viral nature of social networking, and a prime example of the risk to sensitive corporate and private 
information presented by, what is for many, today's primary means of small talk. 

Tweeting, for instance, is becoming part of the professional lexicon, whether you work in the public or private 
sector. People are ever more connected socially via networks such as Twitter, Linkedln, Facebook and countless 
others. People who Twitter in their personal lives, for example, also tend to bring those 140-character Tweets into 
their professional lives, and the line can become blurred as to how much information becomes too much infor- 
mation. 

Paranoia? Not really. 

Take Linkedln, for example. Linkedln, for the uninitiated, is a professional networking service, a place where 
people are able to make business contacts, join others in similar industries in informal information- sharing 
groups, and ferret out new job prospects. It's also a haven for mining competitive intelligence. Threats expert 
Lenny Zeltser wrote recently for the SANS Internet Storm Center that attackers are checking out company profiles 
for title changes that would indicate strategy or organizational shifts. New hires show up on company profiles too; 
they're fresh meat for attackers because newbies aren't up to speed on company policy or security culture. 
Sophisticated attackers can also map organizations via these profiles in order to target attacks. 
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Web 2.0 has radically messed with the way information and even marketing material is disseminated and 
consumed. Twits (the affectionate nickname for folks on Twitter) scooped CNN.com on the January crash of 
USAir flight 1549 into the Hudson River. Blogs, RSS feeds and Craigslist have pushed newspapers and their day- 
old analysis of news to the brink of extinction. Many companies are building their brands via social networking, 
going as far as disseminating press releases and product announcements via Web 2.0. 

It's an immediacy not even email can offer. But like any business implement, there must be controls and finding a 
happy security balance between policy and technology is tricky. Banning social networking — and by extension, 
Web 2.0 -- in the enterprise is akin, as expert Marcus Ranum likes to say, to complaining after a horse has left an 
unlocked barn. The next-generation workforce has Web 2.0 neatly packed away in their backpacks and intends to 
use it at their desks; it's up to the security industry to work with business management to contain the threat of its 
side effects: information leakage, malware infestations and productivity drain. 

SERIOUS RISKS: MALWARE, DATA LEAKAGE 

User generated content is what separates today's Web 2.0 from yesterday's online experience. People love to share 
the most innocuous things with their online friends, download silly applications and manage what they believe to 
be their private space on the Internet. The companion truth is that attackers have followed their prey to social 
networking platforms, and are laying down phishing snares, infecting machines with ad-generating software and 
logging keystrokes. 

In the business world, the dangers to corporate secrets are growing. As business embraces these new mediums, the 
odds grow that someone could inadvertently spill secrets on a blog or collaboration portal, or follow links in a 
Facebook app to a phishing or malware site and either lose personal information or afford an attacker unfettered 
access to a corporate network. 

"In the old days, you put up content on a website and people can browse it. Hopefully, the website is under the 
control of one party and it's easier to inspect content and make sure it's legitimate," says Chenxi Wang, principal 
analyst at Forrester Research. "Now with social networking, you're involving a large number of parties who are all 
uploading content; it's very difficult to attain the same level of assurance." 

Wang says companies are getting less Draconian about social networking use inside the firewall. If there is a 
business purpose, it is allowed, even if it is restricted somewhat; it's also a useful in helping attracting younger 
workers. She points out that in some heavily regulated industries, such as financial services and health care where 
communication must be logged, policies are stricter on content that leaves over the Web. Webmail, i.e., Gmail and 
Yahoo, is a concern there, as are peer-to-peer file sharing resources and online storage containers such as 
Megaupload; knowledge workers could use these resources to circumvent policies on what types and how 
documents are allowed to leave the network (see "You're the Last to Know, below). 
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Workarounds: You're the Last To Know 



Users are ahead of IT when it comes to side-stepping Web 2.0 restrictions. 

DO YOU REALLY know the extent of what Web 2.0 sites are visited, or what tools are being installed 
on machines in your network? Your perception is probably counter to reality. 

While more organizations are making a business case for the capabilities found in Web 2.0 applica- 
tions, users for the most part aren't waiting for you to iron out your acceptable usage policies or lay 
out a list of permitted apps. They're forging ahead and using and installing a glut of Web 2.0 tools 
and applications such as peer-to-peer file sharing, Web conferencing and anonymiziers such as Tor, 
in addition to downloading user- generated applications from Facebook, MySpace and Linkedln. 
These end-arounds are increasingly exposing companies to data loss and malware infections. 

Face Time Communications recently asked IT and security managers at more than 80 enterprises 
how many and which Web 2.0 apps they believed were running in their networks. Their estimates are 
far lower than reality. For example: 60 percent believed users were actively doing social networking; 
54 percent thought P2P apps were installed and 15 percent were confident of the presence of 
anonymizers; when in fact there was 100 percent, or close to it, penetration of all of these tools and 
more, including Internet Protocol TV (IPTV), which streams mainstream television programming. 

"Hackers are following people, and moving to Web 2.0," says Face Time VP of product marketing 
Frank Cabri. "Threats are moving in parallel." 

And even when IT puts barriers in place — sites are blocked or restricted, or size limits put on email 
files -- users find other ways around them with the use of anonymizers or proxy servers such as 
Ultrasurf that bypass the corporate networks and policies banning visits to certain sites. Users want- 
ing to move restricted data off a network can upload their hard drives to a Web-based storage service 
such as Dropbox or Megaupload. These services also support encryption. 

"The problem is, IT is always the last one to know," says Palo Alto Networks VP of marketing Steve 
Mullaney. "The lack of visibility is the problem. You think you're stopping things by blocking 
MySpace, but younger people especially are going to be stopped for about two seconds. They're going 
to fire up Ultrasurf or use some encrypted proxy avoidance app that lets you do what you want." 
[END MARK] 

—Michael S. Mimoso 
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"I think companies need to be judicious about Web 2.0 adoption and usage; don't use anything the business 
doesn't call for," Wang says. "Really take a close look at the security treatment of new technology and whether it 
opens you to risk and whether you're prepared to handle or accept it." 

Jamie Gesswein wasn't willing to accept the risks that accompany social networking — not entirely any way. 
Gesswein, network security engineer for Children's Hospital of The King's Daughters in Norfolk, Va., says only a 
handful of public relations and marketing employees have access to social networking sites; the business case 
being that they need such access to monitor blogs and the like for mentions of the hospital. 

"The biggest concerns were downloading malware and data leakage too," Gesswein says. Hospital staff aren't the 
only people with Internet access at the hospital; its young patients are allowed to bring in their laptops and access 
the Net via a guest wireless network. But even then, MySpace, Facebook and the like are blocked. 

"We get a lot of calls from nurses and administrators asking us to allow access to kids to Facebook and MySpace, 
but we've stuck to our guns and not allowed it," Gesswein says. "I don't need a 7-year-old in the hospital accessing 
MySpace." 

Organizations need to train users about which of their actions online pose the biggest risks. 

"Don't click on links in Facebook, or on wikis or blogs," says Tim Roddy, senior director of product marketing at 
McAfee. "There's a real danger is you don't know who posted the content there. Most organizations have data 
security policies, but those need to be updated to include whether you can use web-based email to send informa- 
tion, or you can post to a blog. It's an awareness issue for employees because most data leakage isn't deliberate. 
Look at what's being posted; people shouldn't be blogging about their company — period." 

A bigger driver is federal and industry regulation; for Children's Hospital of the King's Daughters, it's HIPAA 
compliance. With stringent watch on patient privacy in the health care industry, compliance helps drive the 
message home to upper management of the importance of data protection and get their backing to shut down as 
many egress points as possible. 

Still, deny-by- default isn't going to work forever. Information Security magazine's annual Priorities 2009 survey 
tends to back up this trend. More than 660 responded to a question about social networking, and 42 percent say 
they ban it entirely. Of the 58 percent that don't, only 9 percent said they allowed unrestricted access 
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"In general, things are loosening up," Forrester's Wang says. "More people are saying it's useful for business pur- 
poses. And more people are allowing them to attract younger workers. It really depends on the company culture." 

Clearly, a mix of technology and policy is the most sensible road to travel for many companies. Web security 
gateways that address not only antimalware, but URL and content filtering are being turned on social networking 
sites in order to catch private data such as credit card or Social Security numbers, or certain keywords that would 
indicate a corporate secret could be heading through the pipes onto the Web. 

"The better weapon is to have the technology in place, but without policy, it would be moot," says Gesswein, who 
has a Sophos WS 1000 Web appliance installed on the hospital's network. The appliance, and others like it, 
inspects inbound and outbound traffic and compares it to policy, allows granular control over Web content and 
also includes an anonymizing proxy detection technology that sniffs out proxy servers more savvy users could use 
to sneak out confidential data through, for example, personal webmail accounts. "We have the ability to show the 
management what is going on in the network, what is being protected and how." 

Gesswein struggles with that balance of providing access and enforcing policy. Doctors, like others in many 
industries, can collaborate online with peers via social networking sites. Medical collaboration sites and message 
boards, blogs and wikis are invaluable tools in speeding up patient care. Gesswein acknowledges that more staff 
members are also accessing information via personal devices such as BlackBerries and iPhones. 

"The hardest thing is to have to keep telling myself that there has to be a balance. In a perfect world as a security 
person, everything is blocked, nothing is allowed. But in reality, we have to make money to stay alive. In order for 
them to make that money more efficiently, they need this technology in place, have access to information and be 
able to send and receive and talk to people more effectively. That balance between security and giving them this 
ability is tough. If you have to have this type of access and technology, let me work with you to figure out how I 
can protect the information and also at the same time, get you what you want." 
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MONITOR OUTBOUND CONTENT 

Web 2.0 security isn't just about social networking and leaking secrets inadvertently on a blog post. Online 
productivity suites such as those afforded by Google apps are attractive no-cost options for organizations seeking 
free email, word processing, spreadsheets and document-sharing capabilities. Problems arise on these platforms 
from the lack of oversight, especially when they're used departmentally, or even by select individuals on a project. 

Greenhill & Co., a small investment banking firm in New York, needed to get a handle on users accessing and 
moving documents on webmail services such as Gmail, Hotmail and others. John Shaffer, vice president of IT, 
says Sarbanes-Oxley auditors were looking at this risk and how it was being mitigated. Worse, he didn't want to 
see documents such as compensation spreadsheets leaking outside his organization via Gmail or Google docs. 

"We had two choices: capture HTTP mail, or block it. We blocked it as opposed to archiving external email," 
Shaffer says, adding that users were hurdling port-blocking firewalls by using SSL. The organization moved in 
Palo Alto Networks' PA series firewalls that consolidated threat protection and content filtering into one box. 
Shaffer had the visibility he needed to satisfy auditors and learn exactly what users were up to, especially over 
Gmail. He could also then set blocking policies per user via Active Directory. 

"Data leakage was a big concern. We wanted to make sure people were not attaching spreadsheets," Shaffer says. 
"There are a number of ways to get data out of a network. We're at least making a best effort to get out to some. 
When we get audited and go through the whole Sarbanes-Oxley process, that's one of the things they're looking 
at." 

While Gmail and Google Docs are free applications, enterprise versions provide some management and security 
capabilities that enterprises could use to rein in users via policy controls. 

"If we are talking about a vendor that is providing collaboration services for corporations, you have to expect a 
very stringent policy control interface for me to say this type of document can be shared to this group, but not 
outside. Or, this document lives on a server for this long, but then is deleted," says Wang. "I haven't seen a lot of 
collaboration sites that offer this type of elaborate policy control interface to users. People like Google have to 
work on it. If they are trying to break into the enterprise, policy control is important." 

Wang acknowledges that monitoring outbound content is difficult, but sees that trend spiking in a positive 
direction as more content security vendors acquire data leak prevention tools. 

"There's a lot more going on around outbound data filtering," Wang says. "In the old days, it was all about filter- 
ing inbound email. Today, content filtering and webmail filtering is taking on more of a business context. We want 
to look at outbound content; what kind of mail you're sending out, attachments too, as well as Facebook and 
MySpace and what you're posting there. A lot of secure Web gateways have primitive abilities to recognize struc- 
tured data. They're not as sophisticated enough to block corporate secrets, for example. That's in a fairly early 
stage. But that's the direction vendors are working hard toward." 
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The good news is that, yes, vendors and CISOs are looking at Web 2.0 security and the consequences of user 
behaviors online. Social networking presents security and productivity issues that run counter to growing 
business uses for these tools. Enterprises see a marketing value in Web 2.0 outlets such as Facebook, Twitter and 
Linkedln. Younger people entering the workforce are used to having these sites and this kind of connectivity at 
their disposal, and expect it as part of their professional existence. 

CISOs, as with any new online phenomenon, have to find that precious balance between security and productivi- 
ty. Risk must be offset with a mix of policy and technology, and users must be educated so that important 
information isn't inadvertently leaked online and the next Pete Hoekstra doesn't work within your company's 
four walls. 



Michael S. Mimoso is Editor of Information Security. Send comments on this article to 
feedback@info security mag. com. 



Page 9 of 19 



FIRST HALF OF 2009 SHOWS A 



STEEP RISE IN 




ON SOCIAL NETWORKING SITES 



Download the Web Hacking Incidents Database (WHID) 2009: Bi-Annual Report 

today at www.breach.com/WHID2009 to learn more about the latest in web application security! 





BREACH 



Breach Security, Inc. | Corporate Headquarters | 2075 Las Palmas Drive | Carlsbad, CA 92011 
tel: +1 760 268 1924 | toll-free: +1 866 205 7032 | fax: +1 760 454 1746 | www.breach.com 






SearchSecurity.com 



Protecting Against Web Threats 

Twitter risks, Facebook threats trouble security pros 



Twitter risks, Facebook threats trouble security pros 



By Eric Ogren 

The explosive growth in social networking has positioned many security teams solidly between a rock and a hard 
place. On the one hand, conscientious security executives cannot ignore the data loss and regulatory compliance 
risks to the corporation; on the other hand, security cannot politically survive by categorically objecting to other 
organizations innovative use of new business tools. 

According to a recent Websense Inc. survey, the decision has already been made by the business units with 86% of 
IT respondents reporting pressure to allow more social networking in the business. The message resonates loud 
and clear to security: Resistance to advances in technology is futile; find secure ways that business can move for- 
ward. 

More and more data is hosted outside of corporate data centers, with that data being accessed by end users via 
Internet protocols from within office buildings, personal computers at home, or anywhere/anytime mobile 
devices such as Apple iPhones. Enterprises are increasing investments in the use of social networking websites as a 
cost effective means of collaborating with prospects, customers, employees and partners. Facebook is hardly the 
sanctuary for the latest generation, as demographically its user base consists of professionals between ages 25 and 
35. There is also the 1382% year- over-year growth rate in Twitter and the reported 152 million users watching 
16.8 billion online videos on social networks that security has to contend with. Social networking is already 
ubiquitous and it is silly for IT to take a negative stand against these strong trends. But Twitter risks and Facebook 
threats are real. The best approach for security is to work with the business organizations to help make use of 
social websites as safe as possible while acknowledging that there are risks involved. 

Educate employees and business partners on social networking risks. Web security training is a must, in 
many ways, the use of social websites follows the same common sense rules as using the telephone, showing 
business documents, or other settings that occur outside the confines of the office building. Security should be 
conducting regular communications on responsible handling of confidential data, the dangers of following 
suspicious links on social websites and make resources available if they have any questions or need help with 
recovery from a security incident. Employees should also know that in highly regulated industries, such as finance 
with stringent auditing requirements, violations of acceptable behavior policies may result in termination. 

Allocate a percentage of security time to audit social networking sites for the presence of 
Confidential information. The business does not need to be surprised by confidential data residing in public 
locations or fail to understand which social websites are the leading sources of malware. Reinforce the education 
program by actively searching for confidential data on pages of social websites, blog postings and comments, and 
monitoring security services for websites with unacceptable reputations. It is far better for security teams to spend 
time on prevention, than it is to spend time cleaning up a problem. 
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Introduce technology when appropriate. The business will be competing via social networks long before 
refined security tools are available. Eventually, security features will become available that can help the organiza- 
tion use social websites without unduly increasing the risk of data loss or exposure to malware. For instance, 
Facebook Publisher now allows the user more granular control over content sharing, which may help companies 
use Facebook with restrictions on who is authorized to view the content, which is a fair trade-off for business 
users. Bandwidth management products can be useful in throttling back video and audio streams to preserve 
network bandwidth for priority business applications without IT having to deny access to users. 

Security needs to have procedures in place for protecting the company as users gravitate towards new applications 
or cool personal devices. For most, those procedures start with Web security training on risks and acceptable 
behavior followed by audits of education and finally technology assistance once security and administration 
requirements become understood. Security cannot slow down the Twitter phenomenon, but it can act before an 
insider tweets to tout the company stock. 



Eric Ogren is founder and principal analyst of the Ogren Group , which provides industry analyst services for vendors 
focusing on virtualization and security. Prior to founding the Ogren Group , Eric served as a security industry analyst 
for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena , 
Sequation and Tizor. He can he reached by sending an email to eric@ogrengroup.com. 
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IT pros can detect, prevent website vulnerabilities, thwart attacks 



By Eric Ogren 

IT is left to its own ingenuity to weave diverse products into a Web security protection scheme. Security practi- 
tioners will have to categorize externally facing websites and then make security investment decisions among 
technologies such as scanners, penetration testers, Web application firewalls, source code scanning and security 
development lifecycle (SDL) investment. There is no one best practice when protecting websites, which is a 
worrisome state for businesses and helps explain why security vendors report that most attacks penetrate 
browsers through infected webpages. 

Companies that invest in finding and patching website vulnerabilities are ahead of the game. WhiteHat, a Web 
application scanning service vendor, reports that 63% of websites have a high, critical or urgent security issue. 
There are a few more important interfaces between a business and its customers and supply chain, yet websites are 
now the leading attack targets for malicious code such as cross-site scripting (XSS). WhiteHat's research into 
website vulnerabilities shows that security is a vexing issue that security vendors struggle to contain. 

In time vendors will integrate offerings to form a cohesive set of security tools for IT. For instance, the day will 
come when source code passes through SDL tests that include a parameter description language to optimize Web 
application firewall features. Meanwhile, security teams need to utilize a variety of mechanisms to control the 
security profile of their websites. 

Vulnerability scanning. Website vulnerability scanners discover websites and scan them for known vulnerabili- 
ties. The list of discovered vulnerabilities feeds software maintenance teams, possibly helps tune Web application 
firewalls and provides IT with an objective measurement of the security health of corporate websites. Website 
auditing, achieved with vulnerability scanning, is a core competency all businesses should be utilizing. 

Penetration testing. Similar to vulnerability scanning, penetration testing also varies input parameters from 
browser scripts to detect weaknesses in the business logic expressed by the application code. Consumer oriented 
websites should pass penetration tests before production deployment. 

SDL and source code security scanning. Correcting vulnerabilities in the source code is the preferred method 
when feasible. Approaches that integrate security scanning with source code libraries can help ensure a vulnerabil- 
ity is fixed across all corporate websites. However, other than the expense of code management systems, business- 
es hate to invest security maintenance resources in legacy applications, and in many cases the source code is 
owned by a vendor. White Hat's findings that a XSS vulnerability is averaging 58 days to fix indicates that security 
needs to augment source code corrections. 

Web application firewalls. WAFs are devices residing in the data path between the user and the website to ana- 
lyze http traffic, block attacks and prevent data leakage. WAFs can be effective in blocking attacks, but they need 
periodic tuning to keep in sync with the Web application, and not all websites merit the expense of a Web 
application firewall. 
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Browsers. The most popular browsers have features designed to reduce the risk of XSS attacks. Be sure end users 
of Microsoft IE8 are running the XSS filter and users of Mozilla Firefox have deployed the XSS Me add-on. 

Application whitelists. IT can record the configuration of an approved website and application whitelists can 
detect and block unauthorized changes to the server environment. 

Categorize all Web servers according to business risk. There will not be enough money budgeted to apply all of 
the above methods to every website. Prioritize websites by importance to the business, susceptibility to website 
vulnerabilities (e.g. complexity) and practicality of each security technology. 

Four leaf clovers. (Only slightly tongue-in-cheek.) Assume all websites are vulnerable and will be exploited. Put 
processes in place to detect the presence of malicious code to limit the damage of a successful attack and preplan 
to take action in event of a breach. A little luck is always a good thing ;). 



Eric Ogren is founder and principal analyst of the Ogren Group , which provides industry analyst services for vendors 
focusing on virtualization and security Prior to founding the Ogren Group , Eric served as a security industry analyst 
for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena , 
Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com. 
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Peter Giannoulis 

Malicious malware has been a problem as far back as any of us can remember. As seen with the latest Storm 
Trojan, this trend does not seem to be slowing down. Yet the malware problem could soon be dwarfed by the 
growing wave of attackers stealing mountains of confidential information by exploiting vulnerable Web applica- 
tion servers. 

Why are Web application servers targets for attack? They are publicly accessible and tie into back-end database 
servers, which store a gold mine of information for criminals. How are attackers' cracking into back-end database 
servers using front-end Web applications? Here are a few of the most popular methods. 

SQL injection 

SQL injection attacks are becoming a popular vector for stealing confidential information on the Internet. An 
SQL injection involves an attacker inputting a SQL query in a search field of a Web form. If the query is accepted 
by the Web application, it's passed to the back-end database where it's executed, if read/write access is granted 
from the Web application to the database server. This could result in two scenarios; the attacker viewing the 
contents of the database, or deleting the contents of the database. Neither instance is good. 

Contrary to popular belief, SQL injection attacks do not require advanced knowledge. In essence, these attacks 
can be performed by anybody with a basic understanding of SQL and a list of queries that are available on the 
Internet. 

Blind SQL injection 

Blind SQL injection is another method of launching attacks, but with a slightly different approach. When 
performing a standard SQL injection, an attacker inserts a SQL query into a Web application, hoping it will cause 
the server to return an error message. These error messages can grant the attacker the necessary knowledge 
needed to perform a more precise attack. Database administrators have been led to believe that sanitizing error 
messages would correct the underlying issue that caused SQL injection. What administrators have failed to realize 
is that although this conceals the error message, the vulnerability still exists. It's a tad tougher for the attacker, but 
instead of using error messages to gather information, the attacker flies blind and sends crafted SQL queries to the 
server, hoping to gain access to the database. 

Cross-site scripting 

Cross-site scripting, otherwise known as XSS or CSS, is a technique used by malicious hackers to compromise 
vulnerabilities in a Web application that serves dynamic Web pages. Many of today's Web sites are serving up 
dynamic pages that consist of information from multiple sources built "on-the-fly" for the user. If the webmaster 
is not careful, malicious content can be injected into the Web page to gather confidential material or simply 
execute on users' systems. 
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Countermeasures 

There are many countermeasures for thwarting Web application server attacks. Awareness is definitely among the 
most important. Many organizations are focusing on the preventative measures that need to be applied without 
trying to learn how these attacks are performed. Not understanding how Web application server attacks work 
makes countermeasures ineffective, and simply tossing firewalls and intrusion prevention systems at the problem 
won't help. For instance, if your Web application server is not filtering user input, you can easily be subjected to 
the types of attacks mentioned above. 

Another key to staying ahead of attackers is to conduct a thorough audit of your Web applications on a regular 
basis. Johannes Ullrich wrote a great article on how to audit your Web application over lunch using some simple 
techniques and Firefox plug-ins. 



About the author 

Peter Giannoulis , GSEC , GCIH , GCM, GCFA , CISSP \ is an information security consultant for Access 2 Networks , a 
Toronto , Ontario based security consulting firm. He also serves as a technical director for GIAC. 
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Learn more at bluecoat.com/controlisyours 



BlueOCoat 
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CONTROL IS YOURS™ 





£) SearchSecurity.com 



Protecting Against Web Threats 

Resources from our Sponsors 



Sponsor Resources 




B pcAru 

l\ Sunni fl I 1 



Breach Security 

◄ Products 

◄ Solutions 

◄ Resources 




REDSPIN 

INFORMATION SECURITY ASSESSMENTS 



Redspin, Inc. 

◄ Ma p ping A p plication Security To Business Value: Considerations And Recommendations For IT 
And Business Decision Makers 

◄ What Executives Need To Know About Web Application Development Security 

◄ What Internal Data Can a Hacker Access On Your Network Via Your Website? 



Blue Q Coat 

Blue Coat 

◄ Protecting Against The Wave of Web Threats 

◄ Addressing Web Threats 

◄ Stopping Malware Attacks Before They Impact User Desktops 
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